Support Forum

Got a user A that was added to the GroupA
Got a user B that was added to the GroupB

Created the following permissions:

1.) GruopA | Download::Category | 1:: | Admin
2.) GruopB | Download::Category | 2:: | Admin
3.) GroupA | Download::Add | :: | Admin
4.) GroupB | Download::Add | :: | Admin
5.) Users | Download::Category | 1:: | None
6.) Users | Download::Category | 2:: | None
7.) Unregistered | Download:: | .* | None

Aim:
1.) User A (GroupA) can only see category1 and can only upload to category1
2.) User B (GroupB) can only see category2 and can only upload to category2

The users only see categories they should see when the enter the download area. That works fine!
That means user A only sees category 1 and user B only sees category 2. I?m happy with that.

Problem:
If user A logs in to ADD (!) a download, he can see in the dropdown "Choose category:" all the categories he shouldn't see. He can even add a download to a category he shouldn't see, ALTHOUGH he gets a permission denied error.

I hope it became clear what I'm trying to achieve.
Does anyone know what I'm doing wrong?

Thank you!
--
nitz




edited by: nitz, Apr 18, 2008 - 06:17 AM

Hi All

If I could just prevent users from seeing categories in the dropdown "Choose category:" they shouldn?t see when they add a download.

That would already make my day.

Thank you!
--
nitz

Oh please, doesn't anyone know a solution?
I tried to understand the code. Found where the dropdown is populated, but can't figure out how to prevent the population of categories a user shouldn't see.

--
nitz

Hi,
Line 933 of pnuserapi.php it might work to change:

Code

while( list($cid)=$result->fields )
    {
        $result->MoveNext();
        if ($sel == $cid)
        {
            $selstr = 'selected="selected"';
        }
        else
        {
            $selstr = '';
        }
            $categories_list .= "<option value=\"$cid\" $selstr>".Downloads_userapi_catNavPath(array('cid' => $cid, 'start' => 0, 'links' => 0, 'linkmyself' => 0))."</option>";
            $categories_list .= Downloads_userapi_catSelectList(array('cid' => $cid, 'sel' => $sel));
    }

to

Code

while( list($cid)=$result->fields )
    {
        $result->MoveNext();
        // Security check
        if (pnSecAuthAction(0, 'Downloads::Category', "$cid::", ACCESS_ADD))
        {
            if ($sel == $cid)
            {
                $selstr = 'selected="selected"';
            }
            else
            {
                $selstr = '';
            }
                $categories_list .= "<option value=\"$cid\" $selstr>".Downloads_userapi_catNavPath(array('cid' => $cid, 'start' => 0, 'links' => 0, 'linkmyself' => 0))."</option>";
                $categories_list .= Downloads_userapi_catSelectList(array('cid' => $cid, 'sel' => $sel));
        }      
    }

I have not tested it, since I don't really use Downloads. Test it out and report back if it works or not works

Great Stuff!

Yes, did some quick testing and it seems to work. I'll just have to review some permissions and will test in detail during the weekend.

Wow, thanks a million!

--
nitz

It's an adjustment of the creation of the category select options with cat permissions.
If it works it might be a good idea to file a bug in the NOC and supply the solution with it. Then in the next version you don't have to hack it in there any more.